
  • Users and passwords


    Can you give an easy explanation about:
    1) A.9.2.2 
    2) A.9.2.4 
    3) A.9.3.1 
    4) A.9.4.3 
    Sometimes I am a little confused about this.
     

    Answer:

    Sure, I will give you an example for each one:

    1) A.9.2.2 User access provisioning: I give you a user with read/write privileges to a folder (according to a procedure).
    2) A.9.2.4 Management of secret authentication information of users: I give you your password in a secure manner (according to a procedure), for example: the organization needs to verify your identity, the use of external parties or unprotected electronic messages should be avoided, you should acknowledge receipt of secret authentication information, etc.
    3) A.9.3.1 Use of secret authentication information: You should follow the organization’s practices in the use of passwords, for example: not share individual users’ secret authentication information, ensure proper protection of passwords, not use the same secret authentication information for business and non-business purposes, etc.
    4) A.9.4.3 Password management system: You use software in your organization to manage passwords, for example Active Directory (Windows environments) or OpenLDAP (Linux and Windows environments).
  • Procedure for identification of Requirements


    I’m currently writing the “Procedure for Identification of Requirements”, and I’m having difficulties figuring out the requirements. Can you give me some examples?
     

    Answer:

    Sure, welcome back. The most important point here is to identify the applicable laws in your country. Here you can find a list of international laws related to information security: https://www.infosecpedia.info/laws-regulatio******************************************* 
    Another important point is the identification of interested parties, and here you can find more information about this: “How to identify interested parties according to ISO 27001 and ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • Doing risk assessment department wise


    ISO 27001 does not define how you should organize the risk assessment; in any case, for all of your departments you should use the same risk assessment methodology. However, if your company is not very small, i.e. if it has more than 20 employees, it would be good to organize the risk assessment by departments, because it makes it easier to speak to the right people.

    See also this article: How to organize initial risk assessment according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/04/29/how-to-organize-initial-risk-assessment-according-to-iso-27001-and-iso-22301/
  • Registered Implementer


    I am looking at giving the certification a shot this quarter as a step towards becoming a registered implementer, after which your very robust tools will come in handy, but in the immediate term I will require advice and tips from you for engaging with the certification exam.
     

    Answer:

    I suppose that you know that there are no accreditations for the Lead Implementer course, so maybe the ISO 27001 Lead Auditor course can be interesting for you, because it has accreditations. Anyway, we do not have specific information about the exam of the Implementer course, but I think that this article can help you: “Lead Auditor Course vs. Lead Implementer Course – Which one to go for?”: https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/
  • ISO software


    I was wondering if you could give me your opinion on all-inclusive ISO software. I have worked with ISOXpress in the past and thought it worked well, but I was wondering if you knew of any others or could recommend any other software?
     

    Answer:

    Sorry, but we do not have information about this tool. Keep in mind that having a tool in your Management System is not mandatory. Anyway, this article can be interesting for you: “When to use tools for ISO 27001/ISO 22301 and when to avoid them”: https://advisera.com/conformio/blog/2021/06/24/toolkit-vs-conformio-which-is-more-applicable-for-my-company/
  • Partnerships under clause 4.1 and/or 4.3


    I have another quick question. Should I define any partnerships under clause 4.1 and/or 4.3? Or should they be incorporated only into the subcontractor policy and procedures?
     

    Answer:

    Sure, you can define your partnerships under the context of your ISMS, and you can also consider a partnership as an interested party (clause 4.2 Understanding the needs and expectations of interested parties), so this article can be interesting for you: “How to identify interested parties according to ISO 27001 and ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  • BCP template


    Looking for a BCP template preview.
    I want to implement basic business continuity and recovery planning and the implementation of ISMS practices.
    I have gone through the ISMS domains and controls applicable in 27001:2013, trying to see what I can add as per the standard (based on the current practices we have in the organization).
     

    Answer:

    You can implement only a Disaster Recovery Plan as a minimum to be compliant with A.17.1.2 and A.17.2.1 of ISO 27001:2013. Remember that the Business Continuity Plan and the Disaster Recovery Plan are not the same; please read this article: “Disaster recovery vs. Business continuity”: https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
    Anyway, here you can find a template for the BCP (you can see a free version by clicking on the “Free Demo” tab): https://advisera.com/27001academy/documentation/business-continuity-plan/ and for the Disaster Recovery Plan: https://advisera.com/27001academy/documentation/disaster-recovery-plan/
    Also, here you can find an article that will help you to write a BCP for your organization: “How to write business continuity plans?”: https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/
  • Audit ISO 27001:2005


    I have audited (a compliance audit, not a certification audit) a client in Feb 2015 against the ISO 27001:2005 standard. I also indicated that all 2005 version certificates are expiring by 30th Sep 2015. My client was explaining that the old standard doesn't expire and that, as long as he wishes, he can comply with the old standard and it is not a must to upgrade to the 2013 version. Is this correct?
     

    Answer:

    I am afraid that it is not true. This year all certification bodies in the world have to update to ISO 27001:2013, which means that all companies with an ISO 27001:2005 certificate need to adapt to ISO 27001:2013. If not, they can lose the certificate, although they can maintain the ISMS implemented. 
    Anyway, there are no major changes in the new revision, so I think that there are no excuses for not updating. Here you can find more information about the transition: “How to make transition from ISO 27001 2005 revision to 2013 revision”: https://advisera.com/27001academy/knowledgebase/how-to-make-a-transition-from-iso-27001-2005-revision-to-2013-revision/
  • Security board/council


    What I have been wondering on a few occasions is, in general, whether a Security Board/Council is mandatory for certification against ISO standards, or just a best practice?
     

    Answer:

    If by “Security Board/Council” you mean a group of people to manage the ISMS (I have seen this name in some organizations: “Security committee”), it was mandatory in the old version of the standard, ISO 27001:2005, but in the current version, ISO 27001:2013, it is just a best practice. 
    Finally, I think that it can be useful for you to know the list of mandatory (and non-mandatory) documents, so please see this article: “List of mandatory documents required by ISO 27001 (2013 revision)”: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
  • Thesis topic: ISO 27001


    Actually, I want to use ISO 27001 FOR A THESIS TOPIC, and I hope you can help me with some questions.
     

    Answer:

    Of course, you can ask us all your questions. In any case, this academic work related to the implementation of an ISMS (I am the supervisor of this work, which was developed by one of my students) may be interesting for you: https://openaccess.uoc.edu/webapps/o2/bitst****************************************** 

    This article (in English) may also be interesting: “The biggest shortcomings of ISO 27001”: https://advisera.com/27001academy/blog/2011/03/21/the-biggest-shortcomings-of-iso-27001/